9 July 2018

F5 ASM - Denial of Service (DoS) Mitigation

From
time to time, I talk about techniques
and methods of DoS attacks with
workmates and customers, and when we speak
about it, most of them always think about DDoS
Attacks where a botnet flood
the targeted server with excessive bandwidth consumption. However, we
shouldn’t forget that an attacker
can also make services unavailable with
just requesting heavy URLs. Therefore, it’s
not necessary to have lots of resources, neither a botnet, to make
services unavailable because it can also be accomplish with a
simple DoS
Attack.

Mainly,
there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly,
volumetric attacks, likeUDP Flood Attacks
or Amplification
DDoS Attacks,which are the
most known DoS attacks. Secondly,
computational attacks, like SYN Flood
Attacks, are less known than volumetric attacks where attackers want
to exhaust resources such as firewall
session tables. Finally, application
attacks, like HTTP Flood Attacks, are easy
to execute with DoS attack tools such as LOIC or slowloris. However,
these last attacks are little known by companies and most of them even
don’t know how to mitigate it
nor which mitigation tools are on the market.

DoS Attacks Categories

When
we are mitigating DoS attacks, it’s
important to have a good classification
between malicious traffic and legitimate traffic because the
mitigation process could also block legitimate users when DoS
mitigation tools are not well configured. In addition, DoS attacks
are increasingly sophisticated and targeted which
are delivered in SSL traffic as well against servers and
applications. As a result, behavioural analytics, ultra-fast
automated detection and comprehensive protection are required for a
good mitigation strategy.

F5
BIG-IP WAF is also able to detect
and block DoS attacks. We can watch in the next video how I configure
a DoS profile to detect and block attacks
based in TPS (Transactions Per Second). When the bot iMacros requests
two transactions per second, the DoS profile blocks requests and the
DoS attack is stopped. In addition, the video shows how to
block DoS attacks with a CAPTCHA challenge to find out who is behind
the web server whether a bot or a human being. Last but not least,
DoS reporting are very important to know what’s going on and what happened in the services.